An ISO 13485 requirements checklist makes a demanding standard manageable. Beyond the usual quality-system documents, ISO 13485 requires artefacts unique to medical devices — a quality manual, a medical device file for each device or family, and extensive records for traceability. This ISO 13485 requirements checklist walks through the documents, procedures, and records auditors expect so nothing is missed.

The two documents unique to ISO 13485
- Quality manual (4.2.2) — still required, unlike ISO 9001:2015 which dropped it. It describes the scope of your QMS, its procedures, and the structure of your documentation.
- Medical device file (4.2.3) — for each device type or family: product specifications, manufacturing, labelling, and servicing information.
The mandatory documented procedures
ISO 13485 explicitly requires documented procedures for, among others:
- Control of documents and control of records (4.2.4 / 4.2.5)
- Management review (5.6)
- Competence and training (6.2)
- Risk management across product realization (7.1) — see risk management and ISO 14971
- Design and development (7.3)
- Purchasing (7.4)
- Production and service provision, including validation and (where relevant) sterile-device and cleanliness controls (7.5)
- Identification and traceability (7.5.8–7.5.9)
- Control of monitoring and measuring equipment (7.6)
- Feedback and complaint handling (8.2.1 / 8.2.2)
- Reporting to regulatory authorities (8.2.3)
- Internal audit (8.2.4)
- Control of nonconforming product (8.3)
- Corrective and preventive action — CAPA (8.5.2 / 8.5.3)
The key records
- Management review results
- Training and competence records
- Design and development records (inputs, outputs, reviews, verification, validation, transfer, changes)
- Purchasing and supplier evaluation records
- Traceability records (and, for implantable devices, enhanced traceability)
- Complaints and adverse-event / regulatory reporting
- Internal audit, nonconformity, and CAPA records
Important: The exact documentation depends on your device, its risk class, and the markets you sell into. Always confirm against ISO 13485:2016 and the specific regulatory requirements that apply to you.
Skip the blank page.
The ISO 13485 Toolkit includes the quality manual, every required procedure, design and risk-management templates, and CAPA forms — auditor-written and mapped to ISO 13485:2016.
How to work through your ISO 13485 requirements checklist
Unlike ISO 9001, ISO 13485 keeps several documents explicitly mandatory, so start there: a quality manual, a medical device file per device, and documented procedures for areas like design controls, CAPA, complaint handling, and traceability. Then layer in the records that prove control — device history, risk management outputs, validation results, and post-market surveillance. Regulatory requirements sit alongside the standard, so map each item to the markets you sell into. The standard is published by ISO, and building your ISO 13485 requirements checklist device-by-device keeps it aligned to how you actually design and manufacture.
Frequently asked questions
Is a quality manual still required?
Yes — ISO 13485 retained the quality manual requirement even though ISO 9001 removed it.
What is the medical device file?
A compiled set of documents demonstrating conformity for each device type — effectively the QMS record of that product.
New to the standard? Start with our complete guide to ISO 13485.
Keep the checklist current: design changes, new devices, and evolving regulations all ripple into your documentation, so treat it as living rather than a one-time deliverable. And if you already run ISO 9001, expect ISO 13485 to demand far more rigour — where ISO 9001 says ‘where necessary,’ ISO 13485 often simply says ‘shall.’
One more thing many teams miss: ISO 13485 expects you to document the roles and responsibilities for regulatory activities and to keep records that demonstrate management’s ongoing involvement. Fold these into your ISO 13485 requirements checklist from the start, because retrofitting governance evidence just before an audit is far harder than capturing it as you go.
It also pays to think in terms of the record set a device generates over its life. A complete ISO 13485 requirements checklist accounts for the medical device file, the design history that shows how the device was developed, the device master record that defines how it is made, and the device history records that prove each batch was made to specification. Getting these connected — so any device can be traced from design intent through production to the field — is exactly the traceability an auditor will test.
